E172 - Sean Vargas-Barlow, Senior Global Privacy, Product, and AI Counsel
35:28
SUMMARY KEYWORDS
privacy, data, personalization, ai, talk, ftc, counsel, thoughts, companies, cross border, point, understand, clauses, important, people, detective, business, regulation, terms, framework
SPEAKERS
Debbie Reynolds, Sean Vargas-Barlow
Many thanks to “The Data Diva” Talks Privacy Podcast “Privacy Champion” MineOS, for sponsoring this episode and being a supporter of the podcast.
With constantly evolving regulatory frameworks and AI systems set to introduce monumental complications, data governance has become an even more difficult challenge. That’s why you need MineOS. The platform helps you control and manage your enterprise data by providing a continuous Single Source of Data Truth. Get yours today with a free personalized demo of MineOS, the industry’s top no-code privacy & data ops solution.
To find out more about MineOS visit their website at https://www.mineos.ai/Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva”. This is "The Data Diva" Talks Privacy podcast where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show, a fellow Chicagoan, Sean Vargas Barlow. She is a Senior Global Privacy Product and AI counsel and has been for several corporations. Welcome.
Sean Vargas-Barlow 00:42
Thank you. Glad to be on the show.
Debbie Reynolds 00:45
Yeah, you're a doll. So, we met on LinkedIn, and you reached out to me. And we ended up having lunch in Greektown, one of my favorite places to go to in Chicago. And since then, we've done a couple of things together, I had you come with me to speak at a particular event. I think you asked me to speak at something. So we're always trying to find ways to connect to do things together. But I think you just have such an interesting background, and your knowledge in privacy is tremendous. Also, you just have a great personality that you're really spunky.
Sean Vargas-Barlow 01:25
Spunky? Ok, well, I know I asked you a question when we had lunch. And I said, so what do you think is going to happen first? Will we have the first US female president? Or will we have a comprehensive Federal privacy law in the US? I said, what do you think is going to happen first? So that's kind of a spooky question. I don't remember what you said. First, I think you just laughed.
Debbie Reynolds 02:01
Oh, I know. Those are definitely pie in the sky at this point, I believe. Tell me a little bit about your career trajectory and how you got interested in privacy.
Sean Vargas-Barlow 02:16
I like to think that I was into privacy before it was cool. So, I think that in 2003, I earned an LLM in privacy law and IT law. That's way before GDPR. So, I think that I've always had a passion for technology and the intersection of technological developments in issues like privacy. That's always been sort of a passion of mine. I had a great experience at Accenture, where I worked first as sort of commercial counsel, but I was always, always had my goal was I wanted to be privacy counsel. So, I wrapped up all of these certifications. I did whatever I could, in terms of positioning myself to get that privacy counsel role. It was a chance also for me to deliver value by kind of enabling the business. I definitely don't want to be a privacy counsel where the answer's no, no, you can't do this. No, it's like it's funny; how do you enable the business, which is building consumer or customer trust, by safeguarding privacy while at the same time figuring out a way in which they can achieve their objective responsibly?
Debbie Reynolds 03:41
That's fascinating. I always love to hear stories about how people did that transition or that pivot in their career because as you say, I think my interest in privacy, for me it was a personal one; it started in the 90s. Right? No one cared about it then. And I thought it was really interesting. And so I sort of merged it together with my technology career. And so then here we are.
Sean Vargas-Barlow 04:08
And here we are. Yeah, yes, I think you have to have sort of a drive. Because I think that my career is very unique and not my first counsel position was at the Office of the Public Guardian. So, I was representing abused and neglected kids in Juvenile court. And while I was having an impact and making a difference, that wasn't the area of law that I wanted to practice long-term. So, while I was handling 140 cases, I got two Masters of Law, one in IT and privacy and another one in IP law. And so that was working. It was a really tough job, and then working hard, and doing these LLM jobs. So, it was a lot of drive and passion that I had in my mind where I wanted to go. And I think a career is a marathon. And I'm really inspired by Diana Nyad's story where at the age of 60, after her fifth attempt, she swam from Cuba to Florida. She had to overcome a lot of obstacles she had her eye on. I'm going to find a way; there were sharks that she could be stung by jellyfish, altogether lethal. And I think that in our journey, I always had a passion for privacy and also emerging technologies. But there's been obstacles on the way, and it takes a lot of drive and passion. And not giving up.
Debbie Reynolds 05:45
I agree with that. I agree with that. I want to touch on something that you said that I think is very important. And I want your thoughts on this. And that is not just the drive and passion, definitely that, but there's an element of self-learning. That has to happen. I think, if you want to really succeed in a privacy career, especially if you're trying to go into a career, that's not like your job. Now, tell me a little bit about that. Because I think people feel like, oh, no one's going to hire me for privacy. It's like, well, are you volunteering? What are you doing? Are you reading the cases? Are you keeping up with technology? What are you doing your other outside job time to really hone your skills in that area? I want your thoughts.
Sean Vargas-Barlow 05:54
That is such an excellent question. I think that you point to a really important skill, which is learning agility. And I think that if someone wants to sort of get into privacy, I think it is your volunteering, getting involved in the IAPP network. I think that you also don't have to think about that you need to know everything about privacy. I mean, I've been practicing in the privacy space for a long time. And I still don't know everything. And it's so hard to keep up with all the different changes. I think it's all about your attitude and also getting involved in discussions. I just joined an AI book club. So, I'm looking forward to conversing with other interested professionals about AI. So, I'm constantly learning.
Debbie Reynolds 07:42
Absolutely. And then, you know, just maybe take that one step further beyond your self learning, I highly recommend that people find a way to get plugged into maybe, let's say maybe there's an organization that does standard or something that you're interested in, that helps you maybe even network with other people on a project. So, for example, I think you had invited me to do a talk about privacy and health care. And that was an organization I can't remember the name, ACC, right? Yeah. ACC right. Yeah. ACC, where you're collaborating with other people who are in these spaces, you're able to show your thought leadership there. Those are things that I highly recommend. So when people come to me like, hey, how can I get plugged in? I'm like, are you plugged into any organization where you can contribute and that work and be able to really hone your skills? What are your thoughts about that?
Sean Vargas-Barlow 08:46
Yes, I think participating in projects, what others are, and sometimes even creating your own project. Like I created my own projects, I'm collaborating with someone that I used to work with at Accenture on a book on AI. And so I'm like, I just created my own project. Sometimes, you try to network with others and learn from others. But sometimes, you can create your own project. And then just think about what you want to bring to the project. It's about giving, not just necessarily taking, and what's the sort of impact that you want to have on the project?
Debbie Reynolds 09:25
Yeah, definitely next-level thinking, I agree. You know, this is a space where it's new enough where everyone can have their own niche, so to speak, and their own point of view? And so being able to do thought leadership and all those ways, including writing a book, I think that's fantastic. I can't wait to read it.
Sean Vargas-Barlow 09:46
Oh, thank you.
Debbie Reynolds 09:47
I think that'd be definitely great. Let's talk a little bit about just career and privacy. I remember I used to put out Google alerts for privacy. This is like before GDPR and there would be nothing for years, right? No one was writing about privacy. No one was talking about privacy or GDPR. Even in the US, it took until May 2018 before you actually saw articles and papers that were really about privacy and stuff. And now it's like a fire hose. But tell me a little bit about what's happening in privacy careers; what are you thinking about what people should be thinking about where we are now because you were interested in privacy at a time when people really weren't paying attention. Now, because it's such a hot issue, I think that career trajectory could be a bit different; I just want your thoughts on that.
Sean Vargas-Barlow 10:42
I would look at IAPP and how it's grown. You can also think about your own career in that way, like, IAPP is still very, very focused on privacy. But now they're realizing that privacy professionals are really being called to step up and lead on AI governance. And because of our experience of putting in place, like a privacy governance program at different companies, and conducting privacy impact assessments, and all of those skills. So I think that for me, I'm thinking in terms of what am I passionate about, privacy? And then what areas do I want to maybe expand into as well, and that, for me, it is moving into a space where I leverage my privacy skills and experience and transfer those to kind of helping with AI governance. If you're starting in your career, or you're maybe mid-level in your career, I think that you may end up seeing a pivot to Data Privacy professionals, shipping data professionals because there are so many different, such as regulations of Data Privacy, building EU Data Act regulating data itself. Those are just my thoughts.
Debbie Reynolds 12:03
Yeah, I agree with that. Well, I'm a data person. So that's kind of my background.
Sean Vargas-Barlow 12:08
You're "The Data Diva"!
Debbie Reynolds 12:11
I think those skills can be transferable. One gap that I see a lot in this space, and I think it's going to be challenging, first of all, is that you still need data people; right, in this governance space, there are people who have been doing this for a really long time. So I think that as people think maybe privacy people or people who are trying to pivot into privacy or try to hone their skills in AI, I think, firstly, the technological innovations are going to be key terms of people needing to understand not just technology, but understanding how to work cross-functionally within an organization. What are your thoughts?
Sean Vargas-Barlow 12:58
I think that working cross-functionally is really important. I think that I could just speak from my perspective at the companies I worked for, Accenture, Cognizant, and HRAS, where I've had to partner very closely with engineering and product teams, like building privacy by design into different product or service offerings. And I think it's being able to understand their perspective and where they want to go. And then I also think that there's also sometimes you have to be your translator, and as a translator, kind of going back and forth, because you may be talking to a software engineer. And you have to know enough about tech to kind of understand the tech stack, but they're translating their concepts to you as an in-house counsel. But then I'm also translating some concepts to the business professionals that I'm working with, in terms of what is anonymization, very specific, like legal definition. And so I am having to translate. So it's being able to work collaboratively and understand and have translate have a common language. And then also working cross spatially to define what those requirements are, what do you need to have, what would you like to have, and then what risk you're willing to take? And just being able to be conversant? Talking with people with different backgrounds is very key. But that's not just for privacy. That's across the board, being able to work cross-functionally because everyone's coming at their own different perspective.
Debbie Reynolds 14:33
I think that's true. I think that's a skill that is going to become even more in demand. As we see companies implement AI systems and it touches data, all points within an organization. So those people like you have a skill set that you'll be in much higher demand than people who are more like the Santas workshop with the blinders on and just working on one thing. I definitely think so.
Sean Vargas-Barlow 14:59
I think you raise a really good point being in Santa's workshop. I think that companies that have really seen a lot of growth are companies that are doing away from a silo mentality. Because I've actually talked about seeing this workshop, I think you're talking about silo mentality. And it's all about being a team. It's not just the marketing team versus the legal team versus the engineering team. That's we're all kind of one team, and it's in a silo. And I think that when I was at Cognizant, the General Counsel, was talking about breaking down those silos and working cross-functionally. And that was really important. And I was really inspired by that. So getting rid of that silo mentality, like your point, that was a great point.
Debbie Reynolds 15:01
Yeah, now we've had some deep thoughts and deep conversations on privacy, just in general about the future. One thing that we have some chats about that I would love your thoughts on, and that is personalization. Okay. So when I hear the word personalization, when someone talks about the technical term, my privacy sirens go off on personalization. So, personalization means that companies want to tailor more experiences to the individual. In order to do that, they're typically collecting more information. Obviously, if it was a business or consumer thing. Some of that is voluntary. So the person consents to give someone more information about it. But I just learned I have a couple of concerns. But one of my bigger concerns is that someone or organizations have, in the past, run afoul of privacy regulations or data governance issues because the data may have been collected for one purpose, but it's used for another purpose within the organization. So, give me your thoughts on the perils of personalization. As it relates to privacy,
Sean Vargas-Barlow 17:05
The perils of personalization. That sounds like that could be a book title. Maybe that could be our next panel together. That would be great. The perils of personalization. Yes.
Debbie Reynolds 17:16
We have to do that. Yeah.
Sean Vargas-Barlow 17:20
I think that, well, going back to the idea of those different perspectives, right? So the business perspective is what we want to personalize. Because it is going to help us deliver more value to the customer, right, and our AI will give us more insights into the customer so we can improve our products. So, personalization is seen as my desired business goal, a business objective. And I think that I try to be a trusted business partner, and I say, okay, I see where you want to go. But part of that journey is that you want to also make sure you build consumer trust; yes, there's a path of personalization. If you don't factor in consumer trust, then everything that you've done could be undone, and potentially even reputational damage or FTC actions. If and when we're talking about the perils of personalization, you don't take into account to make sure that there's proper transparency. And in some cases, you also may need to get consent, depending on where the jurisdiction is. Then you also have to understand what the purpose is; you made a great point about the purpose; sometimes, when you want to do personalization, it's almost like a two-parter. It's sometimes business teams want to first; we don't know exactly what we want to do, but we just want to get the data and do some R&D on it. And then we want to figure out how we can better personalize and get consumer insight. So there's like you're saying, you may have one purpose right now you just want to train and then you have a secondary purpose, like later on, you want to take those insights, and then use something with it. So I think then it's about talking about, you know, how do you get to that path, depending on each of those objectives? Just think about Open AI. There's many complaints. And also, there's FTC investigations and things like that. But even just thinking about from a consumer perspective, what you're using my data to train the AI ml models, and so there was response, right? You can make a request. But you have to think about those things. You have to think about consumer trust. I know I've been talking about so I want you to have a chance to hear your reflections?
Debbie Reynolds 19:31
I agree with that. We've had a guest, a dear friend, Andowah Newton. She was the former General Counsel at Louis Vuitton Hennessy and Moet. And she had a great episode. She talks a lot about personalization. So companies really like it because they feel like you said, it brings more value to the customer. It brings more revenue, right? It can engender more data sharing, right people trust the company. They'll share more data with them, but then that flip side is making sure that that data is used for the purpose that was intended to and it doesn't get lost. To me, that goes back to that governance question, right, about, okay, this is what you have data for, this is what you can use it for, then you have to think about the purpose. So I think that somehow, the way companies have handled data in the past, if they don't have that lineage in mind, or they lose the purpose or lose the plot, about how the data is handled, they can definitely run afoul of privacy laws and end up in hot water. This is really a typical example because I can't remember what company, but it was a big company, one of the biggest companies, they had gotten into some hot water because they had collected some data for multifactor authentication. And then the marketing people say, hey, let's use this information for marketing. And it's like, wait a minute, then FTC jumped in, I think this was Twitter as a matter of fact, FTC jumped in and like, hey, you can't do that. You're not supposed to do that, right? Because the people who are giving you their information for two-factor authentication never intended to have that information used for marketing purposes.
Sean Vargas-Barlow 21:12
Exactly. And that violates consumer trust, but I gave you data for one thing, and then now, I give you the data just for you to get the service. But now you're selling it to these third-party advertisers. And I didn't know you were gonna do that. And that violates the trust. You talked about data lineage, I was thinking of how sometimes I'm a Data Privacy professional. But sometimes I feel like I'm a data detective where I'm trying to figure out the data lineage. I joke to my husband as a former Chicago Police detective. But I said, yes, I'd like to think of myself as a very friendly data detective when working the house just okay, so the data, where did you get the data from? And was it personal data? Then like, what did we disclose at the time, or to the customer about what it was used for, and then even have to even do more, let's say it's from a third party, but then that third party also gets the data from other third parties. When I was at Accenture, I had to do a lot of data sourcing due diligence. And then terms of what consents do the third party get? And then what did they require from their third parties? So again, it's like a data detective. Maybe that could be my moniker, like your day to day be like data detective. I love it. But I don't think anyone would watch. I don't know if I had like a little show on it. I don't know if anyone would watch it. Because I don't know if it's that exciting. When I go to parties, everyone, when I tell, they ask me, what do you do? And they bought Data Privacy. And then they asked my husband, what do you do at the time? He was the Police Officer, and everyone wanted to talk to him. And you're like, he always sort of simplifies what I do. He was like, oh, you know, those privacy notices like those HIPAA notices. That's what she does. So much more exciting. But everyone wants to talk to him. But maybe if I said I'm a data detective, they'd be more interested.
Debbie Reynolds 23:10
I know, I know, I think you always have to bring it down to the customer level, right? The things that they're interested in, you don't want Facebook to steal your data, whatever. You know, it's so funny because I have had conversations with people who say they don't really care about privacy. You talk to them, like five minutes. And they're like in an uproar, right? Their face is red. They're like, ah, hands are flailing and stuff like that once they figure out what's going on, right? So I think, because people are very self-interested and you bring it down to a personal exam, you'd be the belle of the ball. And we want to be chasing you down at parties trying to figure out hey, how do I do this on my phone, stuff like that?
Sean Vargas-Barlow 23:47
I think I just need to go to a party with you. You should come to a party with me and my husband. And then I would love to see you do that. Like, outshine him. Not that it's a competition or thing but I would just love it. Everyone would start turning to you. And then you show me how you do it to get people super excited.
Debbie Reynolds 24:09
That's right. That's right. Yes, yes, we should do that. That'd be so much fun. Oh, my goodness, what is happening in the world right now, whether it be privacy or technology that's concerning you, something you see like, oh, wow, oh, I don't know if I like this.
Sean Vargas-Barlow 24:26
I don't know if I like this?
Debbie Reynolds 24:28
Or just concern. Just something getting your attention.
Sean Vargas-Barlow 24:33
Well, I think other parents I think that I'm I was concerned about when I learned that my son had a Chat GPT account. And I thought, well, yeah, there's probably lots of kids that have Chat GPT accounts and then I'm thinking of COPPA, or he also uses Roblox To get them thinking about how they're using that data in Fortnite. Fortnite's gotten into trouble with that. So I think that you're seeing more like FTC enforcement actions about misuse of not complying with COPPA and not getting the appropriate verifiable parental consent. So yeah, so from a parent's perspective, yeah, I'm concerned about that, from an in-house privacy counsel. I'm trying to add Fortune 500 companies who work and have locations all across the world; it is trying to come up with an appropriate framework. So, in the US, you have all these different privacy laws that are kind of popping up, and you see some similar threads. And then let's expand the view and just think about what is going on with cross-border regulation. If you think about it, cross-border data is so important in terms of facilitating teleworking, virtual collaboration, and delivering services; it's like the blood of the digital economy to be able to enable cross-border information flows. But you have all these different countries that have their own spin on do you develop a compliance mechanism. And then also, if you think about it, it could be really crazy. Well, it is crazy if you're entering into contracts, and then there's multiple cross-border data transfer flows. So standard contractual clauses for the EU, then you have to do a transfer sort of impact assessment. And then let's say Argentina has its own clauses. And then let's say you have data that's coming from China, then you have to assess whether or not it's important data, do important data, they have to do a security assess, and then you also could have just different countries may have their own model clause, you can have like a whole contract that it's really very cumbersome. Right. And it's like, I think we need to move to a path of recognizing more frameworks. I mean, there are concerns about cross-border data transfers, and I understand the need for some sort of regulation, but maybe you can recognize the standard contractual clauses; you got to make sure you have appropriate settlement measures. So I've talked a lot, and I want to get your thoughts on my concerns around cross-border transfers and the regulation of challenges of multinational companies and complying with that.
Debbie Reynolds 27:26
Yeah, it's hugely challenging. I've been doing cross-border transfers before they were even standard contract clauses; I'm dating myself at this point, right? And I think almost every year, IPP or different companies do surveys about the toughest part of the Data Privacy job; a lot of times, cross borders off the top of the list because it is complicated, right? So we have all these new laws, we have all these new clauses, different countries do things, different ways, one framework that I like a lot, and I think the US coastline, and that they support this, and that's the APEC privacy framework because I think the important thing that they recognize, they're like, look, we aren't the same. But there are some foundational principles that we need to share in some ways, and then we need to respect some of those more specific things per country. So having that approach, I think is better, easier. A type of cross-border situation, as opposed to the idea, we do things like this, and you need to be like us, right? I just think that's just not going to work. That's just not realistic. The example I give about this is like, you know, after September 11, in the US, there was this person who tried to go to the airport in the US with a shoe bomb, but he was not successful. But as a result of that, for 20 years now, plus, you'd have to take off your shoes at the airport in the US, right? So I travel all over the world, and I don't have to take my shoes off when I go to Europe or South America or whatever. Right. So that's a very US-specific thing. Right? The other countries did not experience this. So we have differences culturally, I think, in the way that we approach different things. I don't think it's helpful to say you need to be like us, right? Because I think every jurisdiction has its own history in Europe, Europe had Nazi Germany. So that's why, for them, privacy is a fundamental human right. And for them, it's okay. We achieve privacy by not sharing too much. In the US. I feel like especially after September 11th, it's like, well, you need to get more information, and then we'll be more secure in some way. Right? So it's a very different approach, but I don't think that we're going to reach a level of sanity on it until we realize we are not the same but then we need to have some foundational principles that we can share. What are your thoughts?
Sean Vargas-Barlow 30:11
I agree with you in terms of trying to understand what is the history and the cultural influences in terms of understanding countries’ perspectives when it comes to cross-border data transfer flows. I also think that with digitization and globalization, it's important for the digital economy to have trustworthy cross-border transfer flows. So, like you said, that APAC framework or having foundational principles to make sure that the data is handled responsibly and with appropriate security, I think that these one-off regulations that maybe aren't transferable are another sort of unique regulatory hurdle that you have to overcome. It can be challenging for multinational companies and law firms who want to do the right thing. It's create a pass so that you can do that. And so having something like APEC would be really helpful, like more of those, or one. One global, that's right, let's dream big. One is a global cross-border framework.
Debbie Reynolds 31:26
Yes, one one big global.
Sean Vargas-Barlow 31:30
It's going to be bigger than Taylor Swift's Eras tour, and we got to think that.
Debbie Reynolds 31:34
Oh, my goodness, that's so funny. I think that's true. That's true. I don't know, once I saw Europe trying to update their Data Directive. I thought, hey, someone on the international level is going to take the reigns over this and say, hey, we need an international something that just has not happened. I'm like, hey, where are you? Where are you? I don't know.
Sean Vargas-Barlow 32:02
Yes, at last, we now have data controller and processor in our terminology, and many of the same principles and means, there are definitely important differences. But it's also, you know, Fluence, even PIPL. I've heard it say different ways it's influenced. Yeah. And that it will also happen with the EU AI Act.
Debbie Reynolds 32:24
Absolutely. That's true. That's true. Yeah, I guess it's coming from a different angle. But yeah, there is definitely influence, and there's data information sharing amongst jurisdictions. So I'm always happy to see when the language is somewhat more similar as opposed to cities, States, and Provinces trying to come up with something new, reinventing the wheel. So if it were the world according to you, Sean, and we did everything you said, what would be your wish for privacy anywhere in the world, whether that be technology, regulation, or human behavior? What are your thoughts?
Sean Vargas-Barlow 33:01
I would say that there needs to be responsible AI regulation with fundamental principles because the train has really left the station. And I think that is concerning. But it'll be my one wish from a Data Privacy perspective. And then world peace. It kind of reminds me of, I don't know if you've seen Miss Congeniality with Sandra Bullock. She's an undercover FBI agent, and her undercover persona is being a beauty queen. And so at her speech, they asked her, what does what she wanted; the pageant question of hers was like, well, I want tougher penalties for criminals and world peace. So I'm doing the same thing. I want responsible AI regulation and world peace.
Debbie Reynolds 33:51
There you go. Excellent. Yeah, you've got to go swinging for the fence shot. Very good. Very good. Yes. Well, it's been such a pleasure to have you on the show. I'm sure we're going to collaborate some more and do a lot more stuff with Chicago stuff in the future. So this would be a lot of fun. But thank you so much. This has been fantastic.
Sean Vargas-Barlow 34:15
Yeah, it's been a lot of fun. Thank you so much for inviting me. I love your podcast. Thank you.
Debbie Reynolds 34:20
Thank you. Thank you. We'll definitely talk soon. Thank you so much again.
Sean Vargas-Barlow 34:24
Alright. Take care. Bye bye.
Debbie Reynolds 34:25
All right. Bye bye.